[Emerging-Sigs] Sig for generic fake SSL cert used by Trojan campaign

Martin Holste mcholste at gmail.com
Tue Oct 19 14:56:48 EDT 2010


Ha ha yes, I believe I need to get that "muscle memory" going with the
gmail keyboard shortcuts as recommended...

On Tue, Oct 19, 2010 at 1:49 PM, Mike Lococo <mikelococo at gmail.com> wrote:
> On 10/19/2010 02:00 PM, Martin Holste wrote:
>>> Matt already agreed to enable these by default, but as an aside... it's
>>> worth noting that Internet Widgits Pty won't be offended because it
>>> isn't a real company.  They're just a demo field in the OpenSSL Demo CA
>>> cert.
>>
>> LOL, yes, that's why I was so sure "they" wouldn't mind.
>>
>> Seriously though, no thoughts from anyone on ssl_state performance?
>
> I haven't tested, but intuitively it makes sense that 'ssl_state:
> server_hello;' should be more efficient than what I wrote, which would
> have been content matching on every server-to-client packet in an
> established connection.
>
> Matt, do we want to replace:
>
>    "ssl_version:sslv2,sslv3,tls1.0,tls1.1,tls1.2;"
>
> with
>
>    "ssl_state: server_hello;"
>
> in sids...
>
>    sid:2011539 - ET POLICY OpenSSL Demo CA - Internet Widgits Pty (CN)
>    sid:2011540 - ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
>    sid:2011541 - ET POLICY OpenSSL Demo CA - Cryptsoft Pty (CN)
>    sid:2011542 - ET POLICY OpenSSL Demo CA - Cryptsoft Pty (O)
>
> Cheers,
> Mike Lococo
>
> PS - Responding to the list because the use of "anyone" in Martin's
> response makes me think it went to me personally by mistake.

